International Data Transfers in the Limbo of Brexit

In the final days of the countdown to Brexit the possibility of an agreement with the European Union is still uncertain, and doubts still remain on the future of personal data flows from and towards the United Kingdom. In fact, despite the political arrangement reached on 14 November 2018 (the “Withdrawal Agreement”), to date, this agreement has not yet been ratified and the ratification or non-ratification will have significant consequences for international data transfers between the United Kingdom and Italy. As explained by the U.K. Government[1] in a paper issued on 26 February 2019 on the implications of the U.K. leaving the EU without a deal, uninterrupted personal data flows are critical for many U.K. businesses’ processes and all trading activity (e.g., a wide range of financial services activities require the transfer of personal data, including the servicing of cross-border contracts and payments).

On 12 February 2019 the European Data Protection Board (EDPB) published (as the Italian Data Protection Authority (the “Garante”) also reported[2] ) the document “Information note on data transfers under the GDPR in the event of a no-deal Brexit” (the “EDPB No-Deal Note”[3]). The EDPB No-Deal Note, addressed to commercial entities and public authorities[4], clarifies the legal consequences on transfers of data to the United Kingdom if the concerned institutions do not find an agreement within the Exit Date (initially 29 March 2019, now extended to 12 April 2019), and explains the various data transfer mechanisms and derogations under the GDPR. On the same date, the European Data Protection Board also published a specific “Information note on BCRs (Binding Corporate Rules) for companies which have ICO (Information Commissioner’s Office, the U.K. regulator) as BCR Lead Supervisory Authority”,[5] providing clarifications on the role of the ICO regarding Binding Corporate Rules (BCRs), internal rules for data transfers within multinational companies, in the event of a no-deal Brexit.

At the moment, as all options regarding Brexit are still on the table, both scenarios, ratification or not, must be taken into consideration.

I. Withdrawal Agreement ratified before the Exit Date

As provided by the Withdrawal Agreement[6] in case of its ratification, European data protection rules (including the GDPR) will continue to apply within the U.K. and for data obtained from the U.K. for the Transition Period of 21 months, which—pursuant to the Withdrawal Agreement—runs from 30 March 2019 to 31 December 2020, if not extended. As explained by the National Commission for Data Protection [7] (Commission nationale pour la protection des données), after the end of the Transition Period, pursuant to the Withdrawal Agreement:

the United Kingdom must continue applying the EU data protection rules to the personal data exchanged between the United Kingdom and the Members States of the European Economic Area, until the European Union has established, by way of a formal, so-called “adequacy decision” pursuant to Article 45 of the General Data Protection Regulation, that the personal data protection regime of the United Kingdom provides data protection safeguards which are “essentially equivalent” to those in the European Union.[8]

II. Withdrawal Agreement not ratified by the Exit Date – Implications on Data flows from the EEA to the U.K.

If no deal is agreed upon on the exit date and unless the European Council, in agreement with the Member State concerned, unanimously decide to extend the two years’ period—as provided by Article 50 of the Treaty on European Union—starting at 00.00 CET on the day after the Exit Date the European Union Law will cease to apply in the United Kingdom and the U.K. will become effectively a third country under the GDPR. As a consequence, it will be necessary for every enterprise to review internal policies in compliance with the five steps recommended by the EDPB.

In particular, any organization should:

Identify what processing activities will imply a personal data transfer to the U.K.,

Determine the appropriate data transfer instrument based on the specific situation of each organization (see below),

Implement the chosen data transfer instrument to be ready for the Exit Date,

Indicate in the internal documentation of the organization that transfers will be made to the U.K., and

Update the privacy notice of the organization accordingly to inform individuals.

The U.K. would need to seek adequacy decisions[9] from the EU, but, at the moment, there is no such adequacy decision in place for the U.K. As mentioned by the U.K. Government in the paper on the implications of the U.K. leaving the EU without a deal, the EU said they will not adopt an adequacy decision “until the UK is a third country. Therefore, in the event of a no deal exit, there would be a gap in the lawful free flow of personal data while the assessment takes place. Alternative legal bases to enable the continued lawful flow of data, in the absence of adequacy, are available.”

Therefore, the EDPB No-Deal Note enlists the following available data transfer instruments (point 2 above), which represent (pursuant to article 46 of the GDPR, thus on condition that enforceable data subject rights and effective legal remedies for data subjects are available) the appropriate safeguards that must be provided by the controller or processor in order to permit a controller or processor to transfer personal data to a third country or an international organization:

A. Standard or ad hoc Data Protection Clauses

The European organization and the U.K. counterpart may agree on the use of Standard Data Protection Clauses[10] adopted by the Commission or by a supervisory authority and approved by the European Commission. These clauses cannot be changed and, if added to a wider contract, should not be undermined by the other parts of the contract. Considering the timeframe before the Exit Date, the EDPB acknowledges that the Standard Data Protection Clauses are a ready-to-use instrument.

However parties’ autonomy is not limited since it is possible to shape the content of the clauses in order to create appropriate safeguards that take into account a particular situation; this will imply that they are considered as ad hoc contractual clauses and therefore must be approved by the competent national supervisory authority in accordance with the positive opinion of the EDPB.

B. Binding Corporate Rules (BCR)

Personal data protection policies adhered to by a group of undertakings (i.e., multinationals) and which provide appropriate safeguards for transfers of personal data within the group, including outside of the EEA, are referred to as Binding Corporate Rules under article 47 of the GDPR. If not already in place, the BCRs must to be approved by the competent national supervisory authority after the opinion issued by EDPB.

C. Codes of Conduct and Certification Mechanisms

Appropriate safeguards for transfers of personal data may also be offered by a code of conduct or a certification mechanism, provided that these instruments contain binding and enforceable commitments by the organization in the third country for the benefit of the individuals. Given that this option was introduced for the first time by the GDPR, specific guidelines for using these tools will be issued by the EDPB.

In the absence of an adequacy decision or of one of the appropriate safeguards mentioned above, transfers of personal data to the United Kingdom may take place only under certain conditions, which have to be regarded as exceptions and must therefore be interpreted restrictively.

As mentioned by the EDPB No-Deal Note, these derogations, provided by article 49 GDPR, include amongst others: (i) if the data subject has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks for the data subject associated with the transfer; (ii) if the data transfer is necessary for the performance or the conclusion of a contract between the data subject and the controller or the contract is concluded in the interest of the data subject; (iii) if the transfer is necessary for important reasons of public interest; (iv) if the transfer is necessary for the establishment, exercise, or defence of legal claims; (v) if the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; and (vi) if the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. Lastly, only if the data transfer is occasional, not repetitive, and concerns only a limited number of data subjects, said transfer to the U.K. may take place only if the transfer is necessary for the purposes of compelling legitimate interests pursued by the organization (under further additional conditions enunciated in article 49 of the GDPR, which include also that the legitimate interests of the controller are not overridden by the interests or rights and freedoms of the data subject).

The EDPB Guidelines on Article 49 of GDPR[11] provide further explanations on available derogations and their application.

III. Data transfers from the U.K. to EEA Members in case of a No-deal Brexit

Our analysis has focused on the transfer of personal data from the EEA to the U.K., but the opposite process is not in a legal vacuum.

The EDPB No-Deal Note explains that, as regards data flows from the U.K. to any EU/EEA country, this type of transfer will be regulated in compliance with the current rules. According to the U.K. Government,[12] the current practice, which permits personal data to flow freely from the U.K. to the EEA, will continue uninterrupted in the event of a no-deal Brexit (see also the U.K. Government’s updated “no deal” data protection guidance of 13 February 2019[13] ).

IV. Conclusions

The political uncertainties given the different scenarios imply that businesses must prepare for a “No Deal” Brexit in relation to the processing and transfer of personal data.

As underlined by the U.K. Government,[14] while they would like the European Commission to adopt an adequacy decision with respect of the U.K. as soon as possible, they do not expect an adequacy decision to have been made in case of exit, at the time of exit. Therefore, as explained by the U.K. Government in the paper issued on 26 February 2019 on the implications of the U.K. leaving the EU without a deal, “to prepare for a no-deal scenario, many UK businesses need to work with their EU partners to secure a legal basis for the continued transfer of personal data from the EEA to the UK. Businesses are at varied levels of readiness and the Government is engaging widely to increase awareness of actions that businesses can take.”

Entities concerned must assess the “appropriate safeguards” referred to in Article 46 of the GDPR in order to determine which one would be most suitable for their situation and ensure that it is in place at the Exit Date.

[4] In addition to the topics covered in this article, the EDPB note also contains a brief explanation of the legally binding and enforceable instruments exclusively available to public authorities or bodies.

[9] “An adequacy decision is a decision adopted by the European Commission on the basis of article 45 GDPR.

[10] “In particular, three sets of Standard Data Protection Clauses are currently available: (i) from the EEA controller to a third country (e.g., U.K.) controller, see 2001/497/EC and 2004/915/EC; and (ii) from the EEA controller to a third country (e.g., U.K.) processor, see 2010/87/EU.

[14] Seehttps://www.gov.uk/guidance/using-personal-data-after-brexit as well as the notes of Elizabeth Denham, the UK’s Information Commissioner, on the ICO blog: “Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.”.